July/August 2013  www.csoonline.com  $9.00  BUSINESS RISK LEADERSHIP

TECH: Digital Drop Boxes Aren’t a Cure-All for Anonymous Sources  6

RISK: Security Managers Still Don’t Understand Mobile Risks  14

LEAD: Why Awareness Gets No Respect  20




Cover  illustration  by  Jason  Schneider 


ERM: Old Concept, New Ideas

26  Enterprise risk management may be old hat, but some CSOs are using it in innovative ways. Here’s how it can bring your security program into the future.

BY TAYLOR ARMERDING


■ Also Inside

2  Editor’s Letter
4  Publisher’s Letter

July/August 2013  Volume 12, Number 6

tech

6  Digital Drop Boxes Aren’t a Cure-All for Anonymous Sources
8  Utilities Are Badly Defended, and Face Daily Attacks
10  Stop Criticizing Mandiant’s APT1 Report
11  If You Want to Crack Down on Ransomware, It’s Time to Fight Fire With Fire, Commission Says
12  Chinese Hackers Snooped on FBI and DoJ Records
13  Vendors ‘Clueless’ on Industrial Control Systems

risk

14  Security Managers Still Don’t Understand Mobile Risks
18  10 Ways to Reel In Funding for Security

lead

20  Why Awareness Gets No Respect
24  Why You Need a Security Buddy (And How to Find One)
25  5 Ways to Build a Collaborative Risk-Management Program

last

32  Ten Tweets: Gunter Ollmann


JULY/AUGUST  2013  www.csoonline.com  1 


ERM Redux

Enterprise risk management, when used as part of an overall security program strategy, has its proponents and its critics.

It’s certainly not a new concept; ERM has taken on various forms over the years. Some see it as a way to set up a holistic approach to securing an organization, one that’s based on its individual business needs, as well as the kinds of threats the organization faces each day.

Others say ERM is an outdated way for businesses to simply practice check-the-box compliance with little strategic thinking. And, in fact, many organizations still don’t have a formal ERM approach in place.

So why is ERM the topic of this month’s CSO cover story? What’s new? It’s the way forward-thinking security managers are using ERM to give their security strategy a fresh new approach to identifying threats, setting priorities, proving business value and working with other departments to understand the unique risks and challenges each unit faces.

Inside we offer advice from CSOs on how to give your organization’s approach to ERM a makeover. Whether you have no actual ERM plan or are seeking ways to update your comprehensive approach to risk, we hope you’ll find insight you can use to help you make decisions, and perhaps even changes, to find an ERM approach that’s right for your business.

-Joan Goodchild, Editor,
jgoodchild@cxo.com


Editor
Joan Goodchild
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Senior Editor, Copy and Production
Colleen Barry

Art Director
Steve Traynor

Editorial Administrator
Pat Josefek

Research Manager
Carolyn Johnson

Contributors
Bill Brenner, Taylor Armerding, Mary Brandel, John E. Dunn, Elisabeth Horwitt, George V. Hulme, Gregg Keizer, Jeremy Kirk, Richard Power, Jaikumar Vijayan, Bob Violino

Editorial/Advertising/Business Offices
492 Old Connecticut Path, P.O. Box 9208
Framingham, MA 01701-9208
Main phone number: 508 872-0080

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
cso@omeda.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: |. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.

IDG Enterprise
An IDG Communications Company

International Data Group
Chairman of the Board  Patrick J. McGovern

IDG Communications, Inc.
CEO  Bob Carrigan
Chief Content Officer  John Gallant


ADVERTORIAL

Russ Dietz

Protecting Your IP Across the Entire Threat Lifecycle

Cyberwarfare is shifting the balance of power in the global economy. Battles are being fought by global corporations and by real people with real money and real technology. They’ve got your organization’s intellectual property (IP) in their crosshairs, and its untapped markets in their business plans. Your organization risks losing value when its IP is stolen and used to another organization’s competitive advantage.

I’m not being a fear monger. There’s a lot of money to be made with confidential information, and someone somewhere is likely targeting your organization’s secrets.

IP is more than trade secrets

It’s important to recognize that IP comprises more than proprietary technologies and secret recipes. It also includes sensitive information under the custody of your organization: information that, if stolen, could be used to extort money from your corporate coffers.

For example, for a medical organization such as a hospital, IP includes personally identifiable information (PII), the loss of which could expose a hospital to bad press, high fines and outraged patients. Armed with the stolen PII, a cybercriminal knows all too well that he has the hospital over a barrel.

Moving beyond compliance

Securing confidential information is no longer just about maintaining compliance. It’s also a matter of protecting competitive advantage. The theft of IP touches every industry, from manufacturing to pharmaceuticals to chemicals to high technology, and prevents organizations worldwide from entering markets they otherwise might be poised to profit from.

I’ve consulted with a lot of global companies on their security programs. I’ll hypothetically ask a manufacturer, “What would happen if you explored expanding into a new market, only to discover that your product beat you to it because your IP was stolen and used by another company?” I might ask an oil company, “What if another company started drilling where your geologic analysis indicated untapped resources, because it stole or was sold your planning maps?”

I usually get blank, fearful stares. “Really?” they say. “We can’t have that happen.”

What a modern solution looks like

I believe that organizations are increasingly aware of the need to protect their IP in all its forms (though many still don’t realize the magnitude of the situation). The problem is they don’t know how to do it.

In the past, we in the information security industry relied upon actual data breaches to learn how to protect from future such incidents. We called this the “sacrificial lamb” model, and it relied upon a certain degree of attack predictability. The problem with today’s data attacks is we have no idea where a persistent threat’s lifecycle is going to start, and we have no idea how it’s going to escalate.

Fortunately, we do know what a complete solution looks like. It includes threat intelligence and what I call the “three pillars” of web, email and data security:

• Threat intelligence, to show us how a threat grows and evolves.

• Web security, because threats migrate around and within an organization via this channel.

• Email security, because escalation of privilege is how threats get access to highest value IP.

• Data security, because inbound and outbound data flows can hide bad stuff coming in and good stuff going out.

This approach goes beyond traditional or even next-generation security defenses such as firewalls and web proxies; individually, and even together, these might cover part of the threat lifecycle. But if you don’t cover the entire lifecycle (if you don’t have threat intelligence and the “three pillars”) you won’t solve this problem.

In fact, it’d be impossible to solve. ■

CHIEF TECHNOLOGY OFFICER

Russ Dietz is chief technology officer and executive vice president of products for Websense, a global leader in unified web security, email security, mobile security and data loss prevention (DLP). He oversees Websense security technology, product strategy and R&D, and leads the engineering, product management and security labs teams.

Visit www.websense.com


Lessons From the PRISM Scandal

It used to be that every month I would sit down at my laptop as deadline approached with almost no idea what I was going to write about. I long for those days; it seems that for the past year or more I’ve had no trouble finding security issues to discuss.

This month is no different. As I sit down to write, news is breaking about the NSA’s PRISM data-collection effort, and bloggers and commentators are having Christmas in June. But regardless of your opinion on this (it’s good, it’s bad, you’re not sure), my takeaway is that it’s incredibly difficult to know where your true risks lie and it’s vital to understand the insider threat.

This story was uncovered when an insider named Edward Snowden, a former employee of the CIA who, at the time of the leak, was working at the NSA for contractor Booz Allen Hamilton, decided to go public with the program to The Guardian. Snowden had been with Booz Allen for only three months (he’s since been fired), and after he leaked this information he high-tailed it to China. Hmmm. Makes you wonder. But the China connection aside, this is a classic example of the threats posed by insiders, even insiders who work for contractors, not directly for your business.

We’ve spent a lot of time over the years talking about managing insider threats, and our website, CSOonline.com, is rich with articles on the topic. But the most important thing I want you to take away is the understanding that your insiders, whether they work for you or for someone in your supply chain, may hold the keys to the kingdom in their hands.

Remember Bradley Manning and WikiLeaks? He was a classic insider trading away information from his own organization. Snowden is an insider by way of a contractor. Regardless, you trust the people you employ to do the right thing and to act in the best interests of your organization. Just keep tucked away, in the back of your mind, the idea that one in a hundred or so may turn on you. Call it a healthy dose of skepticism, if you will.

Not every employee is a Bradley Manning or an Edward Snowden, but they are out there.

-Bob Bragdon, publisher
bbragdon@cxo.com




Digital Drop Boxes Aren’t a Cure-All for Anonymous Sources

The New Yorker’s Strongbox preserves anonymity at the price of authentication  BY JOHN P. MELLO JR.


Following news that the Department of Justice, while seeking the source of an information leak, secretly obtained the Associated Press’s phone records, The New Yorker launched an online scheme to receive sensitive documents while guarding the identity of their sources.

The service, called Strongbox, is based on a project developed by Kevin Poulsen, a black hat hacker turned magazine editor, and Aaron Swartz, who took his own life in January after the DoJ aggressively prosecuted him for downloading academic articles in bulk.

Strongbox is an elaborate system involving Tor (a network that preserves the anonymity of its users), multiple computers, multiple thumb drives and PGP encryption. While this Byzantine arrangement provides strong protection of a source’s identity, it removes another important element: authentication.

“When you’re dealing with anonymous sources, they’re not anonymous to you; you know who they are,” says Dan Kennedy, an assistant journalism professor at Northeastern University. “That is an important part of the consideration that goes into whether you use the source or not.”

A system where anonymous leakers are dropping documents into a folder has advantages when government investigators start probing a story’s sources, but it also creates tremendous disadvantages. “The government can’t come after you to find out who gave you the document because you have no way of knowing,” Kennedy says. “That gives more protection to the source, but it makes it harder to vet the document because you don’t know who gave it to you. It makes news organizations into Wikileaks.”

All sources, anonymous or not, have to be evaluated. That’s impossible to do without context. “Knowing your source’s motivations helps contextualize the information,” says Mark Jurkowitz, associate director for the Pew Research Project for Excellence in Journalism. “A solution that prevents the news organization from knowing the identity of a confidential source has value, but it’s not an ideal solution because it is important to know the identity of the source to weigh the information.”

“Information supplied by a confidential source needs to be evaluated, weighed and understood in the same way that information of somebody speaking on the record does,” he adds.

Systems like Strongbox can’t substitute for the give-and-take between journalists and their sources. “Technology is a tool, not a solution,” says Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “The New Yorker is doing the best it can to provide one way for sources to provide information without leaving a trail, but I don’t see this as a solution for investigative journalism more broadly,” he says.

In the end, the solution may lie not in computers but in laws and courts. The DoJ’s actions have resurrected the old legislative argument about shield laws for journalists, although it’s unlikely that any shield law would have protected the AP in this case, as the DoJ claimed national security issues were involved.

“It is inconceivable that any shield law could ever be passed unless it had a pretty significant loophole for national security,” Northeastern’s Kennedy says.

News organizations could also challenge the DoJ’s actions in court. “If they can get a court case on the record that says this kind of search is an overreach, then that would tangibly strengthen the protections given to journalists,” Jurkowitz says.


Utilities Are Badly Defended, and Face Daily Attacks

Utility companies are making only minimum efforts to protect their facilities from persistent and unrelenting cyberattacks, according to a Congressional report.

Utilities are complying with mandatory cybersecurity standards, but aren’t going any further to protect their critical assets from online marauders, says a report by Reps. Edward Markey (D-Mass.) and Henry Waxman (D-Calif.).

“Utilities tend to be compliance-driven and audit-driven, versus doing the right thing,” says Vivek Shivananda, CEO of Rsam, a maker of enterprise risk management and compliance tools. “They tend to stick to the letter of the law and do what has to be done to keep the lights on, but they’re not necessarily taking a holistic approach: what needs to be done from an overall threat and risk-management perspective.”

Compliance, though, can actually be an impediment to better security, says Phyllis Schneck, McAfee vice president and CTO for the public sector. She cited several energy companies who wanted to upgrade their cyber protections by going to a white-listing product but balked because regulations specified antivirus software.

“Companies shouldn’t be faced with having to choose between being secure and being compliant,” Schneck says.

The Markey-Waxman report, based on information gathered in a survey containing 15 questions and sent to more than 150 utility companies, found that the electric grid is the target of numerous and daily cyberattacks, which include phishing emails, malware infections and unfriendly probes.

Unlike missiles or planes, which can be detected by radar, the Trojans, viruses, worms and purpose-built malware that constitute cyberattacks are not easily and immediately detected, explains Torsten George, vice president of worldwide marketing, products and support for Agiliance.

“Since virtually every provider’s IT network is connected to public networks in order to share production, capacity and other information, the threat is very real,” he says. “While the energy industry has taken proactive steps by establishing standards for critical infrastructure protection against cyberattacks, implementation of these guidelines remains a challenge.”

—John P. Mello Jr.




SALTED  HASH 


Stop  Criticizing  Mandiant’s  APT1  Report 


IN  FEBRUARY,  INFORMATION-SECU- 
rity  company  Mandiant  released  a  report 
called  “APT1:  Exposing  One  of  China’s  Cyber 
Espionage  Units.”  The  74-page  tome  told 
the  story  of  a  professional  cyber-espionage 
group  that  Mandiant  dubbed  APT1  and  that, 
if  not  sponsored  by  the  Chinese  govern¬ 
ment,  certainly  operated  with  its  knowledge. 
Mandiant  also  released  more  than  3,000 
APT1  indicators,  including  domain  names,  IP 
addresses,  encryption  certificates  and  hashes 
of  malware. 

The  criticism  began  almost  immediately 
and  took  three  main  forms: 

■  Criticism  of  Mandiant’s  motivations-they 
did  it  for  the  media  coverage 

■  Criticism  of  the  conclusions,  methods  and 
sources 

■  Criticism  of  Mandiant’s  rough  treatment 
of  the  operational  security  of  researchers 
combating  APT  out  of  China 

With  the  benefit  of  20:20  hindsight,  I  will 
address  those  concerns. 

Clients Want Attribution

Every customer who has been hacked wants to know, “Who did this to me?” It’s not a question of prosecution. Most of them would never want to prosecute; they don’t want the publicity. It’s merely human nature to want to know who attacked you.

And why do we information security professionals ignore this primal desire? Because of our egos.

There’s a complex and richly structured set of lies we tell ourselves, that our work is really Secret Squirrel and Important Stuff, and so, above all, we must maintain op-sec lest someone else see this valuable information. According to op-sec, if we reveal what we know, then the enemy will have a tactical advantage and we can’t interrupt their kill-chain.

Tosh.

We’re watching network traffic and finding evidence in memory and hard drives. They’re rarely covered with blood, and almost never contain a holographic projection of a princess begging for help. What we see is evidence of workaday plots to steal information.

Unclench.

The threat research, threat-intelligence and incident response field is covering, by my estimation, 5 percent to 10 percent of the incidents we know about. Within that slice, we’re making progress (that is, establishing actual attribution) about 5 percent of the time, and actually using that evidence for criminal prosecution at some level measured in basis points.

At a minimum, we as a community are over-classifying, a mistake that’s merely annoying when the FBI does it, but which leads to real information-sharing dysfunction when we do it to one another. Op-sec in the name of protecting these few victories actually lowers our efficacy rate, and comes at the cost of not meeting our customers’ primal need to understand what’s happening to them.

Self-Serving? Who Cares

Was the report self-serving? Of course it was; Mandiant is a profit-seeking enterprise. But here’s the crucial question: Did the report enhance our ability to carry out our mission?

The answer is definitively “yes.”

Mandiant’s APT1 report helped the information security mission by cutting in half the length of the “Is this real?” conversation we have at every engagement. Only Mandiant has the PR juice and fundamental chutzpah to put this all out there and be taken seriously.

Did the publicity help Mandiant? Of course it did, as it should have. But it also greatly helped us as a community.

Forcing Industry Cooperation

How did it help us? Within a week we had massive discussion chains running with “Me, too!” posts from vendors and others figuring out ways to use the information in the report. The popularity of the Mandiant report forced the community to share stuff as never before.

So don’t give me your op-sec bullpuckey — let’s go for sec. Once we have security, then you can play Cyber War with your little secret ops and not share information that is of use to us all.

In Summary

Mandiant helped the community by helping us understand that, only for the sake of publicity and marketing will security vendors care enough about the community that they will release enough information for the rest of us to use for defense.

It showed that we are stronger when we team up and stop pretending to be secret agents with classified crucial information, unclench our sphincters and share, than we are when we try to hold on to every little thing in the name of “op-sec.”

■ Nick Selby is a police officer, blogger at PoliceLedIntelligence.com and CEO of StreetCred Software, which makes case-management software for law enforcement.


Photos: Reuters/Yuri Gripas; Reuters: Mike Segar (Huntsman), Richard Clement (Blair)


If You Want to Crack Down on Ransomware, It’s Time to Fight Fire With Fire, Commission Says

BURIED IN A 100-PAGE REPORT BY the Commission on the Theft of American Intellectual Property was a recommendation to copy a tactic cyberscammers use to extort money from innocent victims.

The IP Commission, a private panel of politicians, military and defense officials and technology leaders, is co-chaired by Jon Huntsman, former governor of Utah and former U.S. ambassador to China, and Dennis Blair, a retired Navy admiral and former director of national intelligence.

Some of the commission’s more than 20 recommendations include granting companies the power to lock files and cripple computers. The report says, “Software can be written that will allow only authorized users to open files containing valuable information.

“If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.”

That’s essentially the same tactic used by scammers who try to panic users into paying a ransom to regain control of their computers.

This kind of malware, which is called “ransomware” or “scareware,” cripples a PC or encrypts its files, then displays a ransom note demanding payment to restore control to the owner. The technique, flatly called “an extortion racket” by Symantec in late 2012, has been in use since at least 2006. Until last year, however, it was rare and ineffective, and seen mostly in Eastern Europe.

In fact, a common hacker stratagem is to deliver on-screen messages to victims that appear to be from law enforcement agencies, just as the commission proposed.

Last December, for example, Symantec described how messages displayed on Americans’ PCs by the Ransomlock malware program masqueraded as warnings from the FBI, while German users saw messages purportedly from Germany’s federal police force.

The commission asserted that its proposed ransomware-style techniques are legal.

“Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved,” the report says.

Critics quickly began comparing the tactic to ransomware and denounced the proposal.

“Now we have the IP Commission suggesting that firms be allowed to use basically this same technique: pop up on someone’s computer because you believe they’ve stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well,” says Lauren Weinstein, the co-founder of People For Internet Responsibility.

“What the hell are these guys thinking? Outside of the enormous collateral damage this sort of ‘permitted malware’ regime could do to innocents, how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?”

-Gregg Keizer



■ Tech




Chinese Hackers Snooped on FBI and DoJ Records

IN JANUARY 2010, GOOGLE SHOCKED THE CYBER WORLD by confessing it had been the target of an advanced persistent threat lasting months and mounted by hackers connected to China’s People’s Liberation Army.

“[We] have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” Google Senior Vice President and Chief Legal Officer David Drummond wrote in a blog post at the time.

Now, more than three years after that posting on what came to be known as Operation Aurora, it appears the marauders were after more than just information on activists. They were also after information on investigations that the FBI and Department of Justice were conducting on Chinese spies in the U.S.

The Aurora hackers used Google’s servers to gain access to a database that contained information on U.S. surveillance targets, the Washington Post reported in May, citing former and current government officials.

Such information would be invaluable to China because it would allow its intelligence operatives to destroy information before counterintelligence agents got their hands on it, which would help the spies evade capture and prosecution.

The database included years of surveillance information, including thousands of court orders issued to law-enforcement officials around the nation seeking to monitor suspects’ email, as well as classified orders targeting foreign subjects and issued under the Foreign Intelligence Surveillance Act.

The incident sparked a tiff between Google, the DoJ and the FBI, the Post reported, because the federal agencies wanted to access the company’s technical logs and other information about the breach to assess the potential damage done to its counterespionage efforts.

Google representative Jay Nancarrow said in an email that the company is not commenting on the matter at this time.

Google wasn’t the only target of Operation Aurora. More than 20 companies were attacked, including Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical.

The Aurora attack should serve as an object lesson for organizations dealing with cloud storage run by a third party, says Alan Brill, senior managing director for Kroll Advisory Solutions.

“There’s more trust being given to cloud services than some of them deserve,” he says. “It has become so easy [to store data somewhere else] that you might store something somewhere without thinking whether or not you really ought to do that.”

-John P. Mello Jr.




Vendors ‘Clueless’ on Industrial Control Systems

MANY I.T. SECURITY VENDORS HAVE a minimal understanding of industrial control systems (ICS) and try to sell technology that could easily damage the devices found in plants running the nation’s critical infrastructure, experts say.

In a recent blog post, Joe Weiss, an expert in industrial systems who has testified before Congress on cybersecurity, took the IT security industry to task for believing it can provide ICS security with only slight modifications to existing products. This approach, Weiss wrote, shows no understanding of the technology that the vendors are trying to protect.

“Before they really start providing technology that’s going to be applied at the real-time control layer, they better have a lot of domain expertise,” says Weiss, founder of consultancy Applied Control Systems and former technical manager for the Electric Power Research Institute. By “domain,” Weiss means the actual control system in a substation, power plant, refinery or pipeline.

Too often, vendors are trying to apply security designed for protecting data in a traditional IT network, which has very few similarities with a network of ICS devices, experts say. For example, in the former environment, a malware-infected computer is simply taken off the network. The same approach in an ICS setup could lead to a catastrophe in a power plant, manufacturing facility or oil and gas pipeline.

“If you do that on the plant floor, you’ll blow things up and kill people,” says Walt Boyes, editor-in-chief of Control magazine, which covers the automation industry.

In an industrial control environment, the data is only important in terms of what it is telling a device to do, such as opening or closing valves, increasing or decreasing the pressure of liquids flowing through pipelines or raising or lowering production temperatures in a manufacturing plant.

“One of the big things we care about is [machine-to-machine] authentication,” Weiss says. “We don’t care if you see [the data], but we damn well care that it’s actually coming from where you thought it was coming from.”
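As an added example (not code from the article, from Weiss or from any vendor product), the following Python shows what machine-to-machine authentication without confidentiality looks like for a control command: the setpoint is readable by anyone on the wire, but the controller acts on it only if an HMAC tag under a per-device key verifies. The frame layout, the device key and the sample commands are constructed for this example, and the sequence counter goes slightly beyond the quote by also rejecting replayed frames.

```python
"""Added example, not from the CSO article or any vendor product: a plaintext
ICS command frame that is authenticated but not encrypted. It illustrates
Weiss's point that operators care less about whether the data can be seen
than about whether it really came from the expected device. The frame layout,
the device key and the sample commands are constructed for this example; the
sequence counter is an addition that also rejects replayed frames."""
import hashlib
import hmac
import struct

# Constructed per-device shared key; a real deployment provisions this out of band.
DEVICE_KEY = hashlib.sha256(b"constructed-example-key-not-for-production").digest()

# Frame body: 8-byte sender id, 32-bit sequence number, 16-bit point id, float32 setpoint.
HEADER = struct.Struct(">8sIHf")
TAG_LEN = 32  # HMAC-SHA256 output length


def build_frame(key: bytes, sender: bytes, seq: int, point_id: int, setpoint: float) -> bytes:
    """Return body || tag. The body stays readable on the wire; only the tag depends on the key."""
    body = HEADER.pack(sender[:8].ljust(8, b"\0"), seq, point_id, setpoint)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Controller side: accept a frame only if its tag verifies and its sequence number advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # sender id -> highest sequence number accepted so far

    def verify(self, frame: bytes):
        """Return (accepted, reason, parsed); parsed is (sender, seq, point_id, setpoint) or None."""
        if len(frame) != HEADER.size + TAG_LEN:
            return False, "bad length", None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag", None
        sender, seq, point_id, setpoint = HEADER.unpack(body)
        sender = sender.rstrip(b"\0")
        if seq <= self.last_seq.get(sender, -1):
            return False, "replay", None
        self.last_seq[sender] = seq
        return True, "ok", (sender, seq, point_id, setpoint)


def demo() -> dict:
    """Run the cases a defender cares about and return the receiver's verdict for each."""
    rx = Receiver(DEVICE_KEY)
    genuine = build_frame(DEVICE_KEY, b"PLC-01", 1, 7, 42.5)  # constructed: set point 7 to 42.5
    results = {"genuine": rx.verify(genuine)}

    # Tampering: flip one bit inside the setpoint field; the plaintext is still readable,
    # but the tag no longer matches the body.
    tampered = bytearray(genuine)
    tampered[HEADER.size - 1] ^= 0x01
    results["tampered"] = rx.verify(bytes(tampered))

    # Replay: re-sending the genuine frame fails the sequence check even though its tag is valid.
    results["replayed"] = rx.verify(genuine)

    # Forgery: a frame built without the device key carries a tag the receiver cannot reproduce.
    forged = HEADER.pack(b"PLC-01\0\0", 2, 7, 99.0) + bytes(TAG_LEN)
    results["forged"] = rx.verify(forged)

    # A later genuine frame with a higher sequence number is still accepted.
    results["next"] = rx.verify(build_frame(DEVICE_KEY, b"PLC-01", 2, 7, 43.0))
    return results


if __name__ == "__main__":
    for case, (accepted, reason, parsed) in demo().items():
        print(f"{case:9s} accepted={accepted} reason={reason} parsed={parsed}")
```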

Security vendors tend to be Windows-centric, which is the dominant operating system in IT environments. In ICS, the technology often includes proprietary embedded operating systems, 1200 baud modems and applications where using a 286 processor is considered modern, Weiss says.

IT security vendors are not used to dealing with such limited resources. For example, the processing power used in a typical update of signatures in antivirus software would take down some ICS devices for six to eight minutes.

Even the most innocuous tasks in an IT environment could spell disaster in ICS. For example, pinging all the devices in an IT setup to see which hardware is running could easily cause a controller in an ICS to shut down.

“You have two different mind-sets,” Weiss says. “IT’s mind-set is security for the sake of security. They don’t understand the physical manifestations [in an ICS] of doing something that may be perfectly fine on a desktop.”

IT vendors started rushing into the ICS security market after the federal budget cuts that took effect March 1, Boyes says. The sequester presented an opportunity because it did not apply to spending in critical infrastructure security.

“What we’re seeing now is a new land rush of people who have been doing IT security for a long time trying to move into the critical infrastructure cybersecurity space,” he says.

Securing the nation’s critical infrastructure is a priority for President Obama, who has issued an executive order requiring government agencies to share cyberattack information with private industry. Congress is also addressing security through pending legislation.

To develop the right security technology, ICS and IT vendors need to collaborate. In some cases, existing technology can be modified for use in an ICS.

“The IT world has done an awful lot more on networking than we have, but they’re not looking at our types of applications and constraints,” Weiss says.

Matthew Luallen, president of CYBATI, which offers control-system cybersecurity education, recommends that vendors thoroughly test their technology in an ICS environment and that buyers make sure the tested devices match what they use.

“If you’re an educated customer, you’re going to be able to see the differences between a vendor, a consultant and who really has the skills and who doesn’t,” Luallen says.

-Antone Gonsalves




Security Managers Still Don’t Understand Mobile Risks

Aaron Turner says it’s time to wake up to the massive mobile threat landscape—both at home and abroad

BY JOAN GOODCHILD

FOR THE PAST FEW MONTHS, SECURITY VETERAN AARON Turner has been making the rounds at industry events presenting some pretty disturbing information about the state of mobile security.

Turner, a former strategist in the security division of Microsoft, should know. He’s been working, researching and developing in the mobile space for years. After Microsoft, he moved to research and development at the Department of Energy’s Idaho National Laboratory.

For two years, Turner worked on, and eventually patented, a cellphone-based payment and identification system that became the basis for his startup, RFinity.

From there, Turner went on to found two more companies: IntegriCell, where he and his team work with large companies to uncover risks associated with mobile technologies, and N4Struct, which focuses on assisting organizations in battling against advanced persistent threats (APT).

Turner, who was recently a presenter at CSO’s CSO40 conference, spoke with me about the coming tide of vulnerabilities he sees on mobile platforms, as well as the dark days that lie ahead until security managers find a way to really wrap their arms around the behemoth problem of mobile security.

CSO: In your CSO40 presentation, you highlighted the new ways attackers are using mobile devices for APTs. Obviously, APTs are no longer just a hard-wired network threat anymore.

Aaron Turner: APT is an overused acronym; it’s one that gets everyone thinking about advanced attack capabilities, so I used it to describe what we’re starting to see in the mobile technology ecosystem. For some reason, many longtime security veterans have lost their ability to remember the pains that we’ve suffered in past new-technology-adoption cycles when it comes to mobile.

Whether it was moving from mainframes to distributed servers or from desktops to laptops, we as infosec professionals often didn’t understand the inherent security problems in technologies until it was too late to help our organizations properly mitigate the risks that new technologies introduced into our business processes.

Some very smart infosec leaders are sitting on the sidelines while mobile security problems cause significant incidents in their organizations. The reasons that mobile is now, and will continue to be, especially painful from a security perspective are:

■ Not all carriers are “friendly.” Network operators, especially those in parts of the world where rule of law is a total fantasy, have incredible power to manipulate the information flowing to and from mobile devices associated with their networks. They also have root access to install any persistent software on, or scrape credentials from, devices on their networks.

■ Becoming a “carrier” is getting easier. Rogue towers can be set up to trick targeted users’ devices into connecting to hostile base stations, and then inject software or manipulate information sent to or from the devices.

■ Malicious application developers have realized crime pays. The information on personally-owned devices that are connected to enterprise infrastructures has real value. Spearphishers pay excellent money for contact lists that are obtained from mobile devices. When an application asks for arbitrary access to your address book, it may not be to share your awesome high scores with your friends.

CSO: Do you think organizations are understanding and taking the threat among these new mobile attack vectors seriously yet? Are security managers really getting it? Why or why not?

The most-security-aware organizations are taking these threats very seriously. They’re destroying phones after taking them to hostile areas with known malicious carriers, they’re limiting what information gets copied to the default inbox or contact list on devices, they’re limiting what applications can be installed on devices that have access to enterprise infrastructure. As a group, they’re still a very small percentage of organizations, but the numbers are growing.

Unfortunately, many organizations wait until an incident happens and then react to the problem. That’s probably not the best strategy when it comes to assuring one’s career path, but it’s the state of the industry when it comes to mobile security right now.

I think there is a big gap in knowledge when it comes to really understanding the problem. Most security managers have no clue that foreign carriers have complete administrative control of all devices that are associated with their network. They don’t understand how rogue towers can be set up. They haven’t had time to really do comprehensive threat modeling for malicious mobile applications. IntegriCell and others in the industry are working to bring these risks to light and helping organizations deploy compensating controls as fast as we can.

CSO: In your presentation, you specifically referred to some of the threats mobile users are facing now while traveling internationally. What are you observing?

There are two major threat categories when it comes to international travel: the malicious foreign carrier and the enterprising private mobile attacker. These threats result from the fact that citizens of a foreign country generally have no rights to privacy and no official recourse if their information gets stolen while they are in the foreign country.

I already spoke about how foreign carriers have total control over devices that are associated with their networks. Probably the most alarming thing we’ve seen happen in our tests is how foreign carriers can steal the cryptographic seed values from soft-tokens installed on smartphones. One takeaway I’d love to get across to all of your readers is to never let soft-tokens become a solution to be relied on for organizations that have a large number of international travelers.

The enterprising mobile attacker is someone involved in a situation like we found in Mexico. Imagine you’re on a cruise ship. You don’t want to pay the exorbitant Internet fees on board, so you’re constantly looking for WiFi on shore. You get off the ship, find a coffee shop with great WiFi, so you connect your device and get your Internet fix.

What you don’t realize is that the coffee shop owner has realized he can make more money selling your address book to spearphishers than he could ever make selling you even his most expensive latte.

CSO: What do you see happening in the next two to three years when it comes to mobile security?

Things are going to get a lot worse before they get better. For example, at the CSO40 event I asked many of the attendees what they were doing about rogue cell towers near their critical facilities or boardrooms. Outside of the intelligence community, most organizations are wide open when it comes to mobile communications coming in or heading out of the building.

The complete focus of mobile network developers on availability has really driven some fundamental vulnerabilities into the system. For example, with GSM and HSDPA downgrade attacks, nearly any phone can be made a slave to a malicious tower operator. It used to be that CDMA network devices, like those offered by Sprint and Verizon Wireless, were much more resilient to such attacks. But, with the advent of LTE, which is a sort of strange merger between CDMA and GSM technologies, CDMA devices are inheriting some of the GSM system vulnerabilities.

The lack of a consistent inventory of mobile devices in sensitive facilities can cause problems as well. We found one instance in which a 4G data stick was installed by a cleaning crew in the back of a computer sitting at the desk of the CEO’s administrative assistant. It would burst out data at 2 a.m. Finding those types of unauthorized devices is very difficult without some pretty sophisticated equipment and operational discipline.

The greatest challenge, though, will be the continued innovation in the consumer mobile device market. CIOs have proven that they are not good at helping mobile technology companies innovate. The checks that many CIOs cut for BlackBerrys resulted in a five-year lag in enterprise mobility compared to consumer mobility. The stock market has very obviously told mobile technology companies that enterprise-grade mobile security just doesn’t matter.

When a company like Apple, which has a disastrous record of security problems and no ability to integrate with security tools, has such market cachet that it can continue to dominate sales and draw in enterprise customers, things are going to end badly. The Android ecosystem’s fragmentation will be its demise when it comes to security. BlackBerry 10 is probably the greatest evidence of how far we’ve fallen from a mobile security perspective.

Compensating controls will be the norm for enterprises, because the mobile system owners and OEMs are not providing the solutions we need. So for the next few years, enterprises will have to deploy a host of tools to compensate for the lack of security on consumer mobile devices.

I see some organizations moving to bring-your-own-device (BYOD) practices and justifying the policy with the supposed cost savings. Once all of the tools are purchased and implemented to properly manage BYOD with all the risk-management controls, I have yet to see an organization actually save money and time with BYOD in the long run.






■ Risk


10 Ways to Reel In Funding for Security

ASK SOME CYBERSECURITY SPECIALISTS what their biggest challenge is, and you will get a variety of answers: strengthening network security, managing internal threats, protecting against cyber espionage. But if you dig a little deeper, you may be surprised to learn that the unanimous pick for the real biggest challenge they face is simply getting the funding necessary to implement a robust security program.

There are many resources available to help CSOs and CIOs deal with the never-ending list of threats that arise daily, and we have plenty of opportunities to learn about and digest security best practices. However, little information or guidance is available on how to prepare for the dreaded budget discussion when new or continued funding is necessary for maintaining a strong cybersecurity posture.

Having established cybersecurity programs in two government organizations (the National Park Service a few years ago and now at Los Angeles World Airports), I have experienced a full range of discussions with a variety of financial teams. In all cases, good communication was the critical ingredient for success and resulted in getting the funding, over a period of years, that was necessary to establish and maintain workable security programs.

Most budget requests are accompanied by an ROI analysis. This is the language your financial team understands and is most comfortable with. A positive ROI is usually the difference between a “yes” and a “no.” However, it’s difficult to quantify the ROI that supports cybersecurity budget requests. Security ROI is typically expressed by comparing security investments with the potential liability caused by security breaches. This is similar to calculating the financial benefit of insurance for physical assets, such as buildings and equipment.

To start the budget discussion, you must stress cost avoidance rather than profits, and you will need hard, empirical evidence to back up your description of the business risks and associated costs. Interestingly, the specific nature of the threat, while critical information for the security team, is not likely to matter much to the financial staff. Their primary concern is what the financial impact on the organization will be. Therefore, the best way to approach senior management with a request to fund your cybersecurity program is to explain the expenditures in terms of ROI.

However,  simply  providing  a  well-defined 
ROI  doesn’t  guarantee  success.  There  are  a 
number  of  additional  considerations  to  factor 
in  when  asking  senior  management  and  your 
financial  team  for  funding. 

1  Build  the  foundation  for  security 
funding  before  you  need  it,  and 
once  it’s  built,  keep  it  strong.  If  you 

haven't  established  a  good  working  relation¬ 
ship  with  your  financial  decision-makers,  you 
are  already  behind  the  curve.  It  is  far  better  to 
have  that  relationship  in  advance  of  a  budget 
request.  If  the  first  time  they  see  you,  your 
hand  is  out  looking  for  funding,  your  chances 
of  success  are  drastically  reduced. 

Don’t  use  scare  tactics.  They  may 
work  at  first,  but  eventually,  if  you  are 
successful  in  keeping  your  organization  safe, 
this  tactic  may  backfire.  Your  financial  officer 
will  only  see  that  the  company  provided  fund¬ 
ing  and  nothing  happened. 

3. Establish your cybersecurity credentials. It is important for both you and your security team members to acquire security credentials, such as the Certified Information Systems Security Professional and the Certified Information Security Manager certifications. This gives your financial team confidence that you have the expertise to identify risks and are able to plan and implement a security program that addresses the threats facing your organization. Take advantage of the plethora of security seminars, webinars and magazine articles that provide the most current information on threats and safeguards. And don't be afraid to share some of the nontechnical materials you come across with senior management.

4. Show how security threats could affect the business. The technical aspects of malware threats, hacking and denial-of-service attacks will be almost incomprehensible to your senior management and financial decision-makers. Explaining how the threats could affect business operations is far more meaningful to them. For example, if you rely on the Internet for sales and you have to shut down your Web portal, the specific cause is not a priority to senior management. The fact that you had to shut off your primary business conduit is the critical point.

5. Outline the need in plain English. Never speak in technical terms to senior management or your financial team. To establish a strong communication channel, you need to have two-way communication about security issues, not a one-sided description of technical challenges. To have a two-way conversation, you need to frame the discussion with language that everyone can understand.

6. Develop a plan that meets security needs but also considers financial constraints. When meeting with the financial team, remember that very few organizations are free of financial constraints. It is unlikely that your organization has unlimited funds. You can show your understanding of their constraints by doing a little research on organizational funding practices and demonstrating your desire to make reasonable requests. They will likely appreciate your desire to understand the constraints in their job and will be more willing to help you do your job.

7. Once you get the funding, follow the plan you outlined. One of the most important things you can do to build trust with your financial officer is to use the funding provided exactly as you said you would in your presentation. Nothing reduces the confidence in your approach more quickly than saying you need the money for one thing and then spending it on something else. And if changes become necessary, consult with the financial team. Never surprise them with expenditures for things on which they were not previously briefed.

8. Provide constant feedback on the security program. Bring the financial team into your world as much as possible. Don't wait until you have an emergency and need immediate funding. Continually provide information to the financial team regarding the state of the cybersecurity world and your organization's place in it. This can be anything from a brief discussion in the hallway to forwarding an email on the latest threat.

9. Use outside resources to support your request. If your funding request is met with skepticism, offer to bring in an outside cybersecurity expert to perform an independent third-party analysis or audit. If that doesn't work, bring in peers from other organizations in your industry and have them conduct a peer review of your security operation. An outside opinion often seems to carry more weight than that of internal staff.

10. Always emphasize that cybersecurity is not an IT issue—it's an organizational risk-management issue. Of all the considerations, this is perhaps the most important. Cybersecurity is not only addressed through the IT department, but also through human resources in the form of personnel policies, through your legal department in the form of policy enforcement, and through your senior management team, who do the most ground-level policy enforcement by always insisting that their employees follow company policies and rules, and who may be accountable to stakeholders or regulatory organizations for complying with laws and other mandates. In a distributed environment, you are likely to have numerous parts of the organization continually adding and modifying new technologies, all of which can cause changes to your overall security posture.

Senior management and your financial decision-makers understand risk and dollars. Establishing good communication and maintaining it is critical to receiving the funding necessary to implement and maintain a sound cybersecurity program.

■ Dominic Nessi is the CIO for Los Angeles World Airports.



Why  Awareness  Gets  No  Respect 

Many  CSOs  and  their  teams  ignore  the  problems  with  security  awareness,  and  that  puts  users  at  risk 

BY  GEORDIE  STEWART 


THE WAY AWARENESS PRACTITIONERS have been criticizing security awareness lately has been fascinating. In a CSO article called "Why You Shouldn't Train Employees for Security Awareness," Immunity's Dave Aitel outlines reasons that he thinks money spent on security awareness is money wasted. That article has drawn several responses, including a rebuttal from Secure Mentem President Ira Winkler called "Security Awareness Can Be the Most Cost-Effective Security Measure." Others have also attempted to explain that bad security awareness techniques are all in the past. However, in the scramble to pick holes in awareness training, critics have missed key points.

In his blog, Schneier on Security, Bruce Schneier says security awareness is generally a waste of time. Since most security pros think awareness campaigns are about locking people in a room for an hour and putting up a few posters, Schneier is probably right.

At the heart of this debate is a fundamental question: While many would agree that information security awareness techniques need to improve, are we talking about a few tweaks or a complete overhaul? If security awareness is all about changing behavior, then why don't security awareness tools and processes look anything like those in other, more mature industries that take behavioral change seriously?

Compared to other industries, the information security awareness approach to behavioral influence is an embarrassingly amateur affair. In fields such as public health and marketing, experts have spent decades studying behavioral influence, testing their assumptions and making systematic improvements to their methods. The approach in these fields has led to a heavy emphasis on audience research. Why did you buy that particular product and not another? What thought processes were you following when you plugged that in? They go beyond the "what" of behavior and seek to understand the "why." In contrast, information security professionals persist with the delusion that they can manage the "what" without understanding the "why."


There are many ways to understand the "why" of an audience. Web designers commonly use personas. Safety risk communicators have mental models. Information security folk models have also been proposed. The reality is that people have rules of thumb that they use to make decisions, such as: Is it growling and showing its teeth? Then I'm not going to pet it. Folk models are just a way of standardizing these decision-making processes.

Generally, people's rules of thumb are adequate. When they go wrong, the information security tendency is to bombard an audience with facts, which is an extraordinarily inefficient approach. Some facts are more important than others, and we need to identify the "fulcrum facts" on which decisions hinge rather than blindly teaching the topic.

Often, problem behaviors can be traced to a single mistaken perception. A good example of an assumption that leads to a whole range of problematic behaviors is the belief that hackers don't target small businesses. Information security professionals have been guilty of naive realism, where we assume that our way of looking at problems is the only correct one. Despite our good intentions, our efforts will be hit-or-miss if we don't understand our audience's view of the world.

The cost of our mistaken approaches to security awareness cannot be overestimated. How much has been spent on the password complexity topic alone? This problem could have been solved by system design but instead we've set ourselves the goal of trying to teach every last user. The crazy world of information security is such that Schneier was criticized for pointing this out.

Safety professionals would be shocked at our endemic complacency where high-risk functions with no business benefits exist on our systems with the potential for catastrophic failure. Why do we allow users and administrators to perform unsafe acts such as selecting passwords like "Password1"? Next time you get on a plane, consider the effort that's been made to systematically design out risk in areas such as pilot training and cockpit ergonomics.

If security professionals designed an aircraft cockpit, they would include a "crash plane" button on the dashboard and then spend years training people not to press it.

Is it a good idea to manage human risks? Yes, absolutely. Influencing user security behavior is a very important part of any organization's defense in depth. However, it's about time we dropped the enthusiastic amateur approach. Sure, information security awareness has had its handicaps, not least a mistaken perception that changing behavior is easy. But until we acknowledge that a better understanding of user behavior is needed, and that it's not efficient to use awareness to cover up poor security design, then it's the users who will suffer.

It's likely that due to the mix of specialist skills involved, there's an increasing role for information security awareness marketing agencies with experts in communications and behavioral influence. This is very different from where we are now, where security awareness is widely seen as an IT job that requires no particular communication skills.

Is it true that security awareness has allowed inefficiencies by compensating for bad design? Yes. Is there room to improve mainstream awareness techniques? Absolutely. Should security awareness be performed with a much better understanding of the audience? Definitely. Will you hear most awareness professionals admit it? Apparently not.

■ Geordie Stewart is a regular security awareness columnist for the Information Systems Security Association Journal.

SOCIAL SECURITY

INDUSTRY CHATTER ON TWITTER

Over 800,000 people in the U.S. intelligence community have a Top Secret clearance. For comparison: Google has 50,000 employees.
-Mikko Hypponen @mikko

It always gets me excited when a customer is actually excited for a pen test.
-Gillis Jones @Gillis57

Remember back in 2009 when many people changed their Twitter location to "Iran" in order to show solidarity with protests? NSA says thanks.
-Christopher Soghoian @csoghoian

Sometimes I come across an excellent paper or presentation that describes modern security reality well, and then I notice it is from 2001.
-Dr. Anton Chuvakin @anton_chuvakin
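The design-side alternative the column argues for, as an added example that is not part of the original article: reject "Password1"-style choices at the point where the system accepts a password, so there is nothing left to train users out of. It contrasts the classic complexity rule (which "Password1" satisfies) with a check that normalizes a candidate, matches it against a list of common passwords and refuses user-specific or repetitive strings. The denylist is a constructed sample standing in for a breached-password corpus, and the minimum length, the legacy rule and the sample candidates are assumptions, not anything the column specifies.

```python
"""Designing the weak-password choice out at the system boundary.

Added example (not code from the CSO column): a server-side acceptance
check that rejects the passwords users predictably pick, "Password1" and
its relatives included, instead of relying on awareness training to stop
them. The denylist is a constructed sample standing in for a breached-
password corpus; MIN_LENGTH and the legacy rule are assumptions.
"""
import re
import unicodedata
from typing import List, Sequence

MIN_LENGTH = 12          # assumption: length, not character classes, does the work
MAX_LENGTH = 128

# Constructed sample denylist; a real deployment loads a breached-password list.
DENYLIST = {
    "password", "letmein", "qwerty", "welcome", "admin", "iloveyou",
    "monkey", "dragon", "football", "summer", "winter", "changeme",
}

# Undo the substitutions users make to satisfy complexity rules.
LEET_TABLE = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(candidate: str) -> str:
    """Canonical form used for matching: NFKC + casefold, leading and
    trailing digit/punctuation runs stripped (the "1", "123", "2013!"
    people append), then leetspeak undone. "P@ssw0rd2013!" -> "password"."""
    s = unicodedata.normalize("NFKC", candidate).casefold()
    s = re.sub(r"[\d\W_]+$", "", s)
    s = re.sub(r"^[\d\W_]+", "", s)
    return s.translate(LEET_TABLE)


def is_repetitive(s: str) -> bool:
    """True for a short pattern repeated to fill the string ("abcabcabcabc",
    "aaaaaaaaaaaa") or a straight code-point run ("abcdefghijkl", "0123456789ab")."""
    n = len(s)
    if n == 0:
        return True
    for plen in range(1, n // 2 + 1):
        if n % plen == 0 and s[:plen] * (n // plen) == s:
            return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def legacy_complexity_ok(candidate: str) -> bool:
    """The rule awareness campaigns were built around: 8+ characters with an
    upper-case letter, a lower-case letter and a digit. "Password1" passes,
    which is exactly the column's complaint."""
    return (len(candidate) >= 8
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"\d", candidate) is not None)


def check_password(candidate: str, context: Sequence[str] = ()) -> List[str]:
    """Return the rejection reasons for a candidate; an empty list means
    accepted. `context` carries user-specific strings (username, e-mail
    local part, employer) that must not appear inside the password."""
    reasons: List[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    base = normalize(candidate)
    if base in DENYLIST:
        reasons.append("matches a common password after normalization")
    for word in context:
        w = normalize(word)
        if len(w) >= 4 and w in base:
            reasons.append(f"contains user-specific value {word!r}")
    if is_repetitive(candidate):
        reasons.append("repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: what the old rule accepts versus what the check does.
    for pw in ("Password1", "P@ssw0rd2013!", "Summer2013!", "abcabcabcabc",
               "correct horse battery staple", "jsmith-Office2013"):
        verdict = check_password(pw, context=("jsmith",)) or ["accepted"]
        print(f"{pw!r:32} legacy_ok={legacy_complexity_ok(pw)!s:5} new={'; '.join(verdict)}")
```

Run it directly to see the two verdicts side by side. The property worth noticing is that a long passphrase the legacy rule rejects is accepted, while every mutation of "password" that the legacy rule waves through is refused, and the user never has to know why the rule exists.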




Lead 


Why  You  Need  a  Security  Buddy 
(And  How  to  Find  One) 


AT  A  SCHOOL  EVENT,  I  NOTICED  MY  SON  SITTING  AND 
talking  with  a  younger  boy.  When  I  asked  who  he  was,  my  son 
explained,  “He’s  my  kinder  buddy!” 

He  revealed  that  the  school  has  a  program  that  purposefully  mixes 
older  students  with  younger  students  to  improve  reading  skills.  The  pair 
work  together  to  select  a  topic  of  mutual  interest,  pick  out  a  book,  read 
together,  and  then  have  time  to  “work”  and  play  together. 

The  teachers  rave  about  the  program.  The  older  students  take  the 
program  seriously.  They  get  excited  to  guide  another  student  to  pick 
out  and  read  books.  They  don’t  even  realize  their  reading  skills  are 
being  improved  by  the  process.  The  younger  students  are  thrilled  to 
have  someone  “just  like  them”  to  work  with.  Both  students  benefit 
while  having  fun. 

In my view, this program does more, too. Older children are exposed to the process of teaching younger children; as a result, the older children come away with new insights...and more questions. Younger children learn differently from children a few years older (peers) than they do from teachers (authority); this blend allows the children to work in a shared context and experience that increases relevance for both. Finally, as I witnessed, the kids form friendships and are able to "network" through the school; admittedly, they don't see it as networking in the business sense, but it builds a school of stronger personal relationships.

Applying  the  same  approach  to  the  business  world, 
with  some  slight  changes,  could  bring  similar  benefits. 

Who  is  your  security  buddy? 

The  school  program  pairs  older  students  gaining  confidence  in  reading 
with  younger  students  learning  to  read.  When  applied  to  security,  the 
focus  shifts  from  age  to  experience.  Not  more  or  less  experience,  but 
different  experience. 

It means security professionals pair up with a non-security person: a professional in some other aspect of the business. Two professionals working together allows each to learn about the other. Security shares; this forces security professionals to explain what they do in a way that makes sense to others. Security learns from other departments, and as a result, both sides learn how to do their jobs better.

At the same time, security professionals establish personal, professional relationships and friendships across the organization. Real connections with real people that work to improve communication and reduce risk across the enterprise.


How  do  you  find  a  buddy?  The  shadow  knows... 

One  of  the  easiest  ways  to  find  a  security  buddy  and  build  a  successful 
relationship  is  to  start  with  shadowing. 

Consider  one  of  the  following  approaches  and  pick  someone: 

■ Who has a role in a complementary business function (marketing, sales, or another department that could offer direct benefit) and who's willing to participate and share

■ Who works in an area you don't currently understand, but want to; maybe it's a real challenge that comes with the real benefit of experiencing some confusion at the words used and concepts discussed.

■ Who comes from a group or department that appears to resist security; learning about their experience and operations firsthand allows you to build bridges and offer the right security solutions.

The  key  is  finding  and  partnering 
with  someone  curious  about  security 
and  able  to  teach  the  elements  of 
what  they  do.  This  works  across  the 
business,  including  with  development, 
marketing  and  sales.  In  fact,  security 
professionals  focused  on  security 
awareness  should  make  an  effort  to 
seek  out  a  marketing  or  sales  buddy. 

Build  a  mutually 
beneficial  program 

Calling  it  a  buddy  program  could 
work,  or  it  might  be  foolish.  The  name 
is  not  as  important  as  the  program. 
Choose  the  right  name  to  drive  the  right  results. 

Set  the  expectation  that  the  goal  is  to  learn  as  much  as  it  is  to  share 
and  explore  (like  teaching,  but  less  formal).  Seek  a  partner  equally 
willing  to  participate.  Find  someone  prepared  to  reveal  candid  insights, 
challenges,  and  opportunities. 

Find out what others want to learn about. Then explore and practice ways to make the information accessible. Learn enough from the other person to bring security concepts to life in their world, using their words. In the process, learn more about how to ease security into the business.

Finding  a  security  partner  is  educational.  It  creates  friendships.  It  is 
a  sure  way  to  build  a  better  security  team.  If  you  get  stuck,  send  me  a 
note.  Together  we  can  make  it  work. 


■ Michael Santarcangelo is the founder of Security Catalyst, a practice devoted to harnessing the human side of security.


5 Ways to Build a Collaborative Risk-Management Program

HOW DO YOU GET A HANDLE ON THE enterprise risks in a corporation where the risk-management functions are spread among different departments: general counsel, finance, technology, facilities? How do you define the participating functions?

Yes, the ideal situation is having these groups housed under a chief risk officer or head of operational risk, but if that's not the case and you can't restructure the organization, here are some tips for coping.

1. Be a leader in conversations with risk partners. The most successful global security teams that I have been a part of were always working on collaboration and outreach to risk partners to pave the way for information sharing. Yes, there was the risk of the information flow being one-way, and this is usually the case at the beginning, but as the interaction continues, the information flow gradually starts to go both ways.

2. Conduct joint awareness programs. As part of your doing-more-with-less strategy, look for opportunities to work together on joint awareness programs.

For example, most employees at a company don't separate physical security from information security; security is security. Therefore, jointly working on a security-awareness program often leads to greater collaboration. Start with the new-hire orientation. Also, participating in a wider program for annual compliance training is an easy win.

3. Capitalize on low-hanging fruit. Reach out to the heads of risk management functions to ascertain their interest in participating in an informal working group to share information and priorities on a quarterly basis.

Gain buy-in from one other risk partner and approach the other heads of the risk-management organization together. Establish ground rules of participation around confidentiality. Survey the heads of the functions on the gaps or threats they are most concerned with.

Taking the lead here will solidify you as a leader and influencer in the group. Over time, the group will be persuaded of the benefits of formalizing its decisions and processes into an enterprise risk management program.

4. Establish a joint threat heat map. Start by meeting with the head of your information security team to discuss the creation of a joint threat heat map and the benefits of submitting it to the board of directors.

The threat environment is only getting more complex: data loss, workplace violence, advanced persistent threats, natural disasters, data breaches, civil unrest, supply chain problems, terrorism, facility problems, and so on. Plotting these risks on a likelihood and impact matrix enables you to prioritize the threats. Once you have this map, it becomes an easy way to bring in other risk partners to add their view of integrated threats because the interaction is focused on a work product.

5. Compare your progress with peer companies to collect best practices. Understanding what your counterparts are doing can be a compelling tool to help you garner support for cross-functional collaboration, not only among participants but also from senior sponsors.

Once support for the cross-functional group is built, then gather the participants to create a purpose, charter, scope and rules of engagement and objectives. That way, it is completely transparent why the group exists and what it is trying to do. These foundation documents should be available in an electronic format to every participant.

Establishing greater collaboration has been an uphill battle in an industry with a reputation for being the group of "no." More global security leaders initiating increased partnerships will help change this reputation while serving our internal customers more effectively.

■ Natalie Runyon is the director of security of the Americas at Thomson Reuters, a security leadership expert and a women's leadership strategist based in New York City.


Cover Story

NEW IDEAS

Enterprise risk management may be old hat, but some CSOs are using it in innovative ways. Here's how it can bring your security program into the future.

By Taylor Armerding

Enterprise risk management (ERM) is hardly new. Eric Cowperthwaite, CISO at the nonprofit healthcare organization Providence Health and Services, recalls hearing the term for the first time in the late 1990s, "and it existed before then, even if we didn't call it that," he says.


Indeed, the term goes back several decades, according to Jeff Spivey, who's vice president at RiskIQ, president at Security Risk Management, and international vice president of ISACA. "My father was involved in risk management beginning in 1968," he says. "What was then called 'risk management' is now called 'enterprise risk management.'"

John Shortreed, a member of the International Organization for Standardization, which developed ISO 31000, one of the most prominent frameworks for ERM, says the framework has been "evolving and maturing over the last decade, in response to the increasing risks [in] our world" brought on by such varied factors as interconnectivity, climate change and economic upheaval.

But after all that evolution, it is still not close to being standard operating procedure in most enterprises. According to a 2012 customer survey by the Corporate Executive Board, 70 percent of respondents did not have a formal risk-appetite approach in place. Risk appetite is one of the fundamentals of ERM.

Cowperthwaite is not surprised at those results. "My perspective is that most security practices are foundationally compliance driven, even if they have a risk component," he says.

"The thinking of most CSOs is, 'There is some number of things I'm required to do. When I do them, I have a security program.'"

That  doesn’t  mean  nobody  is  doing  ERM,  he  adds. 




"I could name a dozen CSOs who are really involved in their businesses and doing great ERM," he says, "but I could also name more than a dozen who are basically just keeping in compliance—keeping the firewalls in place. I think if we were to survey the industry as a whole, we'd find the 20-80 paradigm, where only about 20 percent really understand what their business is about so they can make the case for managing risk."

Not everybody thinks the divide is that great between those practicing ERM and those focused on compliance—often derisively called "checking-the-box security." Chris Wysopal, co-founder, CTO and CISO of Veracode, says he is seeing more of his security peers "performing threat modeling based on the way their business works and what is going on in the threat space."

In at least one sector of the economy—finance—there is strong evidence of risk management taking hold. The Wall Street Journal reported in October 2010 on a Deloitte survey of 111 financial institutions that found 75 percent of them had a chief risk officer or an equivalent position, which is one of the core components of most ERM frameworks.

John McClurg, vice president and CSO of Dell, says in recent years he has seen a lot of evidence of ERM in Fortune 100-level companies, "but not so much in smaller companies, and that is the majority of businesses in the country."

William Mabon, director of the cybersecurity product portfolio for BAE Systems, is among those who are not involved in ERM. He says that while he and his firm's clients, which are mostly in government, are very focused on protecting data, "as opposed to going through exercises that are designed to pass through audits," he does not hear much talk about ERM with those clients. "It is not a buzzword that we're living and breathing every day," he says.

Cowperthwaite believes the stumbling block is not a lack of understanding, but rather an all-too-clear understanding of how hard ERM is to do. "If you do qualitative risk management, it leaves an amazing amount of room for people to argue," he says. "When I say something is a high risk, the CEO might look at me and say, '[An impending merger] is high risk—what you're talking about is moderate.'"

But then, some experts say ERM is not the way to go anyway. Douglas Hubbard, CEO of Hubbard Decision Research, even wrote a book about it, The Failure of Risk Management, in which he poses three questions: Do these risk-management methods work? Would any organization that uses these techniques know if they didn't work? What would happen if they didn't work?

Hubbard argues that the answer to the first two questions is "no," and that the answer to the third is that there could be catastrophic consequences for a company or its customers.

Richard Stiennon, chief research analyst at IT-Harvest, contends that ERM simply doesn’t work. In a recent Facebook post, he proposed the following title for a course on ERM that he was about to teach at the National Defense University: “No one ever got fired for implementing a risk-management program—but they should be.”

Stiennon says that “as an industry analyst and adviser to some of the largest organizations in the world, I have seen them start to move away from risk management to threat management.”

Francis Cianfrocca, CEO of Bayshore Networks, agrees. “With risk-management best practices, you’re not really protecting yourself. Enterprises need protection rather than risk management.”

Of course, advocates of ERM contend that it is all about protection—evaluating what kind of protection is needed based on the kind of risk and the amount of damage it could do to an organization.

So maybe before we can discuss the progress and even worthiness of ERM, we need to refresh everyone on what the definition of ERM is and what some of its core goals are. Most CSOs would agree with Spivey that it starts with a holistic view of all risk that an organization may be exposed to, including operational, brand, financial, physical and, of course, information security.

They also agree with what shows up in multiple frameworks and advice columns on the topic: The overall goal is to manage that risk in a way that provides value to the company. Or, as Cowperthwaite puts it, security professionals should “learn what your business does. Go talk to a business-unit person. He’s going to think that’s pretty cool because no security guy has ever done that before. Then you can connect what you do to what the business does in meaningful ways.”

Within that overall mission are a number of specific goals common to most of the frameworks designed to help enterprises implement ERM. They include:

Get rid of silos in dealing with risks: Traditionally, businesses have had separate monitoring groups for risks involving credit, physical security, loss prevention, fraud prevention, information security, business continuity, safety, compliance and audit. If all divisions and departments in an enterprise are not connected and communicating, holistic risk management is impossible.

Define and balance risk appetite: It is difficult to set business security controls without a clear understanding of how much and what kind of risk the company is willing to accept. “People have different risk appetites based on role and responsibility,” says Jonny Gray, head of global client risk services for the Americas at Control Risks. “Legal has a different appetite than the business developers do.”

Enable the business: This includes the frequent exhortation to risk managers to “create and protect value.” Again, this is only possible with an understanding of how a business makes money and what risks would undermine it.

Help decision-makers make informed choices and risk-response decisions: Most frameworks recommend five options for dealing with risk, which can be remembered with the acronym REITA: Reduce it (with controls, for example); Ignore it; Eliminate it; Transfer it (by buying insurance, for example); or Accept it (which is not the same as ignoring it). The goal here is to make informed choices by looking at risks across the enterprise, rather than by department or function.

Implement effective controls in response to risk: Obviously these are a natural result of the choices made during the REITA assessment.

Achieve objectives at lower cost: One of the most common recommendations here is that consolidating risk management will mean it requires fewer people. ERM proponents also argue that setting priorities can help an enterprise cut its risk-management costs.

Ensure appropriate and timely involvement of stakeholders: This includes company leadership, staff, customers, stockholders and business partners.

Be responsive to internal and external change: Any ERM program, to be effective, must be nimble enough to respond quickly to emerging threats or new vulnerabilities.

Where, then, are CSOs and CISOs succeeding or failing in reaching ERM goals?

McClurg says he believes ERM has led to “more thoughtful, deliberative decisions” about handling risk, and that security pros, especially at the larger, Fortune 100-size companies, are moving away from “guns, gates and guards. It’s not security as much as business assurance.”

But, he says, that progress has been matched or even exceeded by attackers. “The threat vectors are more sophisticated—bad guys have gotten better,” he says.

Erik Devine, CSO of Riverside Medical Center, says one of the biggest ERM successes in his organization has been “finding avenues in technology to secure information at a lower cost.”

The biggest challenge, he says, has been trying to integrate information security into the goals of the corporation, “including patient care, financial, compliance and patient information. I’m finding many challenges on changing a philosophy that has been in place for quite some time.”

Devine says he also struggles with controlling the risks of a bring-your-own-device (BYOD) culture and how it can lead to unauthorized data leakage, especially in an era when federal laws, including HIPAA and the Health Information Technology for Economic and Clinical Health Act, have made medical institutions more directly responsible for any breaches of protected health information.

Wysopal says he thinks security teams are doing better at identifying attackers and their techniques, which lets them set priorities on what kind of defenses they need. But “patching the desktop to mitigate spearphishing remains a challenge,” he says.

“Many CSOs are struggling with Web application security also. They are able to cover high-risk apps because the business can see the risk, but often lower-risk marketing-type Web applications go unsecured and can lead to breaches.”

Stiennon says that the results of ERM development and maturity at many enterprises are proof of its failure. “Risk-management methodologies have been deployed at most large enterprises and have reached a high level of maturity. Yet breaches and successful targeted attacks are becoming more frequent and of higher impact. Clearly, risk management is not working.”

Stiennon further argues that terms like “risk appetite,” which have some meaning in financial markets, really don’t mean anything in IT security.

“There is no 20 percent willingness to lose 10 percent of our assets,” he says. “The real mandate is to avoid costly data losses. In practice this means risk management methodologies that loosely translate into ‘protect everything,’ which is demonstrably impossible. But risk managers, even if they agree that their end goal is impossible, argue that doing 50 percent of this will reduce attack surface area, so it is worth doing.”

Regarding cutting costs, Stiennon insists it never happens. “Risk management is extremely costly. It usually involves an expensive team of professionals. None of their activities are directed at stopping targeted attacks that bypass their controls.”

And when it comes to enabling the business, Stiennon argues that success in that area “can dangerously enable it. The credit card companies, in concert with the U.S. banks, used risk management to determine that the risks associated with banking credential theft were low and allowed an entire economy of cybercriminals to crop up,” he says.


What, then, is the best way for today’s CSOs and CISOs to move forward?

There is plenty of advice on that front. Several ERM frameworks offer detailed instructions on the process of implementing successful risk management. But experts like Cowperthwaite advise being wary of the frameworks, arguing that they are mainly about compliance with regulations.

Compliance goals are worthwhile, he says, as part of due diligence and accepted practice, “but that’s not real risk management.”

“A risk-based program should fundamentally ask itself, ‘What things pose a threat that I’m vulnerable to, and how will I solve it so I reduce my vulnerability or the threat?’”

As an example, he notes that a given person could be killed by someone with a gun. Compliance might dictate that he wear a bulletproof vest. By contrast, a risk-management approach would ask if there is somebody who is a threat to that person, who owns a gun and doesn’t like him.

“There are lots of ways to deal with that,” he says. “You could take the gun away, wear a vest, or not go out in public. But we’re only going to solve the problem if we think of both the vulnerability and the threat.”

Stiennon argues that the job of the CSO is not so much to evaluate risk as it is to practice threat management, which he says means, “Look at that attack surface from the perspective of the attacker. First, his targeting and valuation of assets may well be completely different than the valuations of the defender.

“Second, the attacker is not perturbed by perfectly patched systems. He either uses a zero-day vulnerability that cannot be known or protected against, or he targets the individuals that have access to the target data and uses their authenticated, authorized access to steal what he is after.”

The way to do that, he says, is to use published reports and information-sharing teams to “get a step ahead of the attackers by researching their methods and targets. Assign responsibility to a team to thwart targeted attacks. Do this outside the risk-management team.”

Cianfrocca says he sees reason for optimism. “Some industries—large manufacturing, military and critical infrastructure—are becoming aware that their existing practices are not good enough,” he says.

“It’s fascinating to me that the urgency is very high. It’s like seeing elephants dancing.”


■ Taylor Armerding is a frequent contributor to CSO.

Ten Tweets: Gunter Ollmann

@gollmann

IOActive CTO Gunter Ollmann talks security philosophy, changes in the industry and his love for boutique delicatessens in 140 characters or less

CSO: Let’s start with your background. How long have you been in security and how did you get started?

Gunter Ollmann: I started in “security” back in 1982, breaking software and writing hacks and trainers for games back in New Zealand.

What first intrigued you about security that brought you to that line of work?

Games, etc., were very expensive in New Zealand, so it was popular to hack for most kids. Running my own [bulletin board system] meant I had to secure that too.

You’re at IOActive as their CTO, a job you’ve been in for almost six months now. How have things been going?

I’m having a fantastic time with IOActive. It’s great to be back in security consulting after 5 years running product R&D teams.

What have you been working on in the new position?

Developing new “chip-to-code” service offerings. In particular semiconductor reverse engineering and security design, including [integrated circuit security].

Sounds interesting. What would you say is a big catalyst for change in the industry in the past two or three years?

I’d say the paradigm change of acknowledging that we will constantly be breached somehow, and developing realistic remediation strategies.

And how do you think the industry as a whole is adapting or reacting to this “new” reality?

Detection tools are shifting from “attacks” to “attackers.” [Information resources] is de-skilling to help desk. Forensics moving to re-imaging.

What’s your security philosophy?

My philosophy is to expend effort on identifying key intellectual property and prioritize defenses on that. “Protecting” everything is a fool’s errand.

Give me three words that you think are essential characteristics for working in security.

Does ADD count as three or one? 0_o “ADD,” “skeptical” and “multitasker.”

Funny! OK, complete this sentence: “If I didn’t work in security, I would...”

I’d probably own or run a chain of high-end, boutique delicatessens. I may still do that when all the vulnerabilities are gone.

Ha! That could be awhile. One last question: Pass the buck now. Who should we tweet with next?

Two folks I respect in the security world are David Litchfield of “unbreakable Oracle” fame (@dlitchfield) and Malcolm Harkins, Intel’s CISO. They’re both worthy.



THE EMPLOYEE SECURITY AWARENESS NEWSLETTER FROM THE EDITORS AT CSO

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees—saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees’ lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees—your organization’s most valuable assets—will read and retain the information.

Subscribe today!

To view a sample issue of the newsletter, learn about the delivery options and to subscribe, visit: www.SecuritySmartNewsletter.com

For more information please visit www.SecuritySmart.com

Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.



AUTHENTICATE PHYSICAL IDENTITIES, AUTOMATE PHYSICAL ACCESS, ACHIEVE AUDIT & COMPLIANCE 24/7

The SAFE Software Suite centralizes your disparate physical access platforms into a policy-based system that automates physical identity and access management. SAFE ensures that the right physical identity has the right access, for the right reasons, at the right time, with instant verification of who is where, why they are in that location, and who authorized their physical access. All of this is managed automatically to achieve full auditability and compliance with various regulations. SAFE’s ability to automate these processes drives down operational costs. It’s the most efficient way to manage employees, contractors, visitors and their access lifecycle in your organization. Make your world SAFE with Quantum Secure.

QUANTUMSECURE.COM • INFO@QUANTUMSECURE.COM • 1.408.687.4587


